Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction and attack complexity is high as it requires knowledge of tooling beyond just using the UI.

Affected Packages

Packagist magento/community-edition

Affected versions: 2.4.7-beta1 (fixed in 2.4.7-beta2)

Packagist magento/community-edition

Affected versions: 2.4.6-p1 (fixed in 2.4.6-p3)

Packagist magento/community-edition

Affected versions: 2.4.5-p1 (fixed in 2.4.5-p5)

Packagist magento/community-edition

Affected versions: 2.4.4-p1 (fixed in 2.4.4-p6)

Packagist magento/project-community-edition

Affected versions: 0 (last affected: 2.0.2)

Related CVEs

CVE-2023-38221

Key Information

GHSA ID

GHSA-ggr8-3hwx-4f2m

Published

October 13, 2023 9:30 AM

Last Modified

March 4, 2025 6:27 PM

CVSS Score

5.0 /10

Primary Ecosystem

Packagist

Primary Package

magento/community-edition

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 1, 2025 6:44 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.